Wednesday, 16 February 2005

As I mentioned previously, I recently discovered the wonders
of Netfilter's recent module, and have decided to try and employ it to ward
off the evil script kiddies and their brute force SSH scripts.

As I like to be able to SSH to my server from wherever I happen to be, and
I won't necessarily have the infrastructure to use public key based
authentication, I thought I'd see how a bit of selective packet filtering
would go.

This will allow three port 22 connections from any given IP address within a
60 second period, and require 60 seconds with no further connection
attempts before it resumes allowing connections. The --rttl option also
takes the TTL of the datagram into account when matching packets, to help
mitigate spoofed source addresses.

As an additional nicety, I could refine this to use a custom chain and a
whitelist that exited the chain for source IPs that were trusted.
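The ruleset itself is not reproduced on this page, so here is an added example of a recent-match ruleset of the kind described, including the whitelist chain mentioned above; it is not the post's own rules. The chain name SSH_CHECK, the list name SSH, the trusted address 192.0.2.10 and the use of `-m state --state NEW` are assumptions, and the script only prints the iptables commands unless run as root with APPLY=1.

```shell
# Added example (not the post's own ruleset): SSH rate limiting with the recent
# match plus a whitelist chain. Chain name, list name, trusted address and the
# NEW-state filter are assumptions. Commands are only printed unless the script
# is run as root with APPLY=1.

SSH_CHAIN="SSH_CHECK"      # assumed name of the custom chain
RECENT_LIST="SSH"          # assumed name of the recent list
TRUSTED="192.0.2.10"       # assumed trusted source (documentation address range)

# Wrapper: apply the rule for real, or just echo it in dry-run mode.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

ssh_ratelimit_rules() {
    # (Re)create the chain so the rules can be reloaded cleanly.
    ipt -N "$SSH_CHAIN" 2>/dev/null || true
    ipt -F "$SSH_CHAIN"

    # Trusted sources leave the chain before the recent list is touched.
    ipt -A "$SSH_CHAIN" -s "$TRUSTED" -j RETURN

    # Record a timestamp for every new connection attempt from this source.
    ipt -A "$SSH_CHAIN" -m recent --set --name "$RECENT_LIST"

    # The fourth attempt within 60 s (and every later one while the source keeps
    # trying) is dropped. The --set rule above stamps each attempt and --update
    # refreshes the entry, so a source must stay silent for a full 60 s before
    # it is accepted again. --rttl only counts packets whose TTL matches the
    # TTL recorded for that address, which makes spoofed sources less effective.
    ipt -A "$SSH_CHAIN" -m recent --update --seconds 60 --hitcount 4 --rttl \
        --name "$RECENT_LIST" -j DROP

    # Only new SSH connections are sent through the chain; established sessions
    # are untouched, so an existing login cannot be throttled out. Adjust the
    # position of this jump to suit the existing INPUT chain.
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j "$SSH_CHAIN"
}

ssh_ratelimit_rules
```

The addresses currently tracked, with their hit timestamps, can be inspected in /proc/net/ipt_recent/SSH (xt_recent on newer kernels), which is the quickest way to confirm the counter behaves as expected before relying on it remotely.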

I'm going to run this ruleset on my server for a while and see if I:

- don't lock myself out
- make a dent in SSH brute force attacks

Update

After much discussion with Juergen Kreileder, this ruleset would appear to be
slightly better: